Memorandum submitted by Symantec (SAGE 40)
Today the very foundations of our modern society and economic stability are increasingly being built on electronic communication infrastructures that span national, European and international borders, and on the data that is shared, processed and stored within these networks. Safeguarding these electronic networks and systems from possible cyber attack or disruption has therefore become a component of countries' emergency preparedness and critical national infrastructure protection. In light of the increasingly complex and evolving online threat environment and the possible impact of cyber related attacks, Symantec welcomes the Committee's inclusion of cyber attack as one of the potential case studies in this inquiry.
The following submission aims to provide input
to the questions raised in relation to a potential cyber related
emergency in the UK given the current online threat environment.
It should however be noted that the following input is not based
on, or related to any specific cyber security incident in the
UK.
What are the potential hazards and risks and how
were they identified? How prepared is/was the Government for the
emergency?
For the last seven years Symantec has produced its Internet Security Threat Report, which provides an overview and analysis of worldwide Internet threat activity and a review of known vulnerabilities and trends in activities such as phishing, denial of service attacks, botnets and spam. According to the latest report, in 2009 alone Symantec created over 2.8 million new malicious code signatures, which represents 51% of all malicious code signatures ever created by Symantec.[13] Not only is the sheer number of new malicious codes, and therefore new cyber threats, increasingly worrying, but what is also key is how these malicious codes are being used by attackers to support multistage and increasingly sophisticated and targeted attacks on systems and networks. For example, the recent Stuxnet incident is an example of a threat designed specifically to gain access to and reprogram industrial control systems.
The Stuxnet incident provides a real life case study of how such an organised and structured cyber attack on critical infrastructure systems can succeed and how such attacks could be used in the future. While details of the attack are still unfolding, with further analysis currently taking place, it is estimated that at least four zero-day vulnerabilities were exploited in the incident, which allowed attackers to steal confidential Supervisory Control and Data Acquisition (SCADA) design, usage and control documents for industrial systems such as those used by the energy sector. This is the first time that so many zero-day vulnerabilities have been exploited in one attack, and it indicates that the people needed to develop and execute such an attack were not amateurs. It is understood that once the attackers gained entry into the targeted systems a rootkit was used to hide their presence while they targeted software within the systems used to control industrial assets and processes. It is also believed that stolen digital certificates were used in the attack to mask their trail through the compromised systems. The use of zero-day vulnerabilities, a rootkit, stolen digital certificates and in-depth knowledge of SCADA software are all high-quality attack assets and point to a group of possibly up to ten people involved in developing this specific, targeted and technically sophisticated cyber attack.
In the past this type of cyber attack, focusing on critical national infrastructures, was seen by many as a theoretical possibility; however, it is fair to say that most would have dismissed such an attack as simply a movie-plot scenario. Symantec believes the Stuxnet attack is clear evidence that such attacks are real and a possible threat, no longer just a theory but a reality that countries need to prepare for. According to a recent survey by Symantec, 53% of all firms surveyed suspected or were pretty sure that they had experienced an attack on their systems waged with a specific goal in mind.[14] The Stuxnet incident has shown that such targeted, organised threats do exist, where external actors, motivated possibly by organised crime, terrorism or even hostile nations, attempt to gain control of industrial processes and then place that control in the wrong hands.
Overall, cyber attacks are becoming increasingly complex, sophisticated and organised. Online attackers are no longer motivated by notoriety but by economic gain, with access to systems for information being a key target: information that can then be sold as a commodity on the underground economy and possibly used in further attacks, such as social engineering or more targeted attacks on institutions. In fact, in a number of cases there have been reports of attacks aimed not at causing disruption, but rather at collecting intelligence and stealing confidential information.
While the Committee's focus on the UK's preparedness for a potential cyber related incident is understood, from the perspective of the computer security industry, and on the basis of experience to date, it is suggested that the Internet itself has been resilient to possible large scale cyber attacks. The Internet is simply a series of interconnected computer networks, systems and, essentially, large servers based all around the world. As with any electronic or computerised system, these computers are reliant on electrical power to function. Therefore it is possible that a natural disaster or traditional offline emergency, such as the other case studies being considered by the Committee, that impacts or disrupts power within a country or region could affect the ability of Internet users to gain access to online networks or systems. Physically, therefore, the Internet is susceptible to regional interruption, such as when cables are broken. Such outages have occurred when an undersea cable providing network connectivity to the Middle East was damaged.
Clearly, though, the risks and threats to the security, integrity and resilience of the Internet have increased over recent years. This, together with the shift towards greater interoperability between Internet based networks and systems, means that a targeted cyber attack has the potential to have a cascading effect and impact on other connected systems. It is therefore vital that adequate levels of protection are in place that can identify risks quickly and effectively, particularly given the significant increase in criminal use of the Internet for purposes such as identity theft and extortion.
In response to the question of how prepared the Government is for a potential cyber related emergency, it is important to recognise that ensuring the ongoing resilience and stability of the Internet is a responsibility shared by all those using the Internet. While the Government has a role to play in considering and addressing preparedness for cyber related issues, it should be noted that cyber security issues cannot be solved by ISPs, software manufacturers, law enforcement, government or even individuals alone. The nature of the Internet and IT technology is such that no single person can be held accountable, and we all share a collective responsibility to protect ourselves and our customers, whether they be businesses, users or citizens.
Overall, Symantec believes that a modern approach to cyber security must be balanced between protection against possible incidents and preparedness to address them. Symantec therefore welcomed the creation of the Office of Cyber Security and the Cyber Security Operations Centre. The role of these bodies in providing coordination of activities in this area across government, and operational response to cyber incidents, is seen as key for ensuring that efforts across government recognise, identify and therefore address cyber related issues. In addition, the willingness of the Office of Cyber Security to engage and work with industry is also welcomed, given the shared responsibility to prepare for and address cyber incidents as and when they occur. Beyond the Office of Cyber Security, it is recognised that the UK has a number of different bodies active in addressing cyber security related issues at many different levels, ranging from e-crime to critical national infrastructure protection, which, as explained above, can be interconnected given the multi-layered cyber security risks and attacks being perpetrated. These bodies include CPNI and the UK e-Crime Police Unit, which also play an important role in addressing cyber security issues in the UK.
How does the Government use scientific advice
and evidence to identify, prepare for and react to an emergency?
From the perspective of the computer security industry, Symantec is supportive of government efforts to gather advice and information as needed and remains committed to assisting in this work as and where appropriate and within the boundaries of the law.
Given the complex cyber ecosystem of the Internet, it is suggested that the threat information, technical intelligence and cyber security related expertise and advice that may be needed in a cyber related incident will reside across a number of different sources both inside and outside of government. For example, it is estimated that 90% of critical national infrastructures, which are increasingly reliant on interconnected networks and systems and therefore a possible target for cyber attacks, are privately owned and managed. As a result, public and private sector co-operation and collaboration is seen as a key factor in assisting not only the government but also industry to identify, assess and evaluate the level of seriousness of a cyber related incident and to better prepare for and react to it. Symantec believes that information sharing is a fundamental component of a modern cyber security strategy and that the development of trusted information sharing networks and systems is a key element in the development of successful public and private cooperation.
What are the obstacles to obtaining reliable,
timely scientific advice and evidence to inform policy decisions
in emergencies? Has the Government sufficient powers and resources
to overcome the obstacles?
It is suggested that a main obstacle to obtaining timely information in a cyber related incident is the online threat environment itself, as it continues to evolve at an ever increasing pace, with risks and attacks emerging, mutating or evolving into new variants and therefore new attacks. It is suggested that cyber attacks are unlike the other case studies being considered by the Committee, as the online threat environment is constantly shifting and changing. As a result, in order to respond to this changing threat landscape, having the most up to date information, threat intelligence and situational awareness is vital to making decisions in a timely manner and deploying effective countermeasures as and where necessary.
Symantec believes early warning capabilities and real time online threat intelligence are vital components of a cyber security response strategy. Having the right information at the right time can provide an effective means to guarantee a timely response to an attack on critical information and/or communication systems. Having real-time information collection, correlation, analysis and response capability can provide organisations with the ability to identify and recognise key threats or emergencies and have the timely information to assess priorities and address cyber incidents quickly and effectively. Collecting and analysing threat intelligence is, however, a complex process that requires significant engineering skills, specific technical infrastructures to be in place and, in some cases, human intelligence skills.
Having the right information at the right time is clearly important in preparing for and reacting to an emergency situation. However, in a situation where online networks and the information that flows through such systems are attacked or compromised, it is also suggested that the ability to gain access to critical information assets is important to an organisation's ability to respond to and recover from an attack. Organisations are increasingly being targeted by online threats focused on gaining access to their data. Information is seen as a valuable commodity for cyber criminals that can be sold on the underground economy or used to develop more targeted, sophisticated attacks. In addition, attacks are also being seen where the aim is simply to disrupt or even suppress the availability of information or of the network and systems upon which information is transmitted, for example in the case of distributed denial of service attacks. As a result, the ability of organisations to recover from a cyber incident can rely not only on the ability to identify and stop an attack, but also on the ability to gain access to key information assets needed to restore the availability of affected online systems. With the increasing take up of data virtualisation and cloud computing, the way in which organisations manage and store information is changing. However, in the event of a cyber incident the ability to gain secure access to the data needed to restore online services will be vital to the ability of organisations to recover quickly and effectively. Therefore it is considered important that organisations, both in the public and private sector, have in place the ability to gain access to key information assets securely, using technological tools such as encryption and authentication as well as appropriate policies and procedures, to enable the restoration of data and therefore of the online systems and networks impacted.
How effective is the strategic coordination between
Government departments, public bodies, private bodies, sources
of scientific advice and the research base in preparing for and
reacting to emergencies?
As outlined above, the resilience, stability and security of the Internet is a joint responsibility that must be shared by all those using the Internet. Therefore coordination and cooperation between the public and private sector on cyber related issues is seen as an important component of a cyber security strategy not only in the UK but globally. It is suggested that coordination between the public and private sector on cyber related issues occurs at many different levels and areas of the UK Internet community, depending on the sector involved and the specific type or level of seriousness of the threat or risk.
It is suggested that an example of effective strategic coordination and cooperation between governments and industry, not only in the UK but globally, is the role of Computer Emergency Response Teams. CERTs provide a national focal point for information and guidance and issue warnings, reports and alerts on cyber incidents. The CERT model brings together government, industry and academic partners and is flexible enough to enable countries to develop multiple CERTs, or different types of CERTs, depending on their particular requirements and on the type of risk or threat activity that may need to be covered. Symantec supports the CERT model for coordination and cooperation and sees it as an appropriate means of sharing information and encouraging a collaborative approach to addressing cyber related issues, both within countries between the key partners involved in cyber incidents and between countries internationally.
How important is international coordination and
how could it be strengthened?
As recognised by the Committee's question, addressing the cyber security challenges we face requires international coordination. Internet security is a global problem that requires a global approach, given that threats and attacks can travel around the world simply at the click of a button. The move away from closed, nationally protected computer networks to a more borderless, open, accessible, Internet based, networked environment means there is a greater dependency and reliance on Internet based systems and networks internationally. This shift means there is a need to recognise that cyber related risks and attacks could now impact and affect more than just one nation and could have a regional or international impact. Therefore there is an increasing need to highlight and consider the role of international co-operation and collaboration in identifying and addressing cyber risks and threats.
The UK's involvement in European and international forums where cyber security issues are discussed, such as ENISA, the UN Internet Governance Forum, the ITU and the OECD, as well as the UK's participation in cyber security related exercises such as Cyber Storm, are welcomed and supported by Symantec and should continue going forward to ensure the UK can continue to play a leading role in international efforts as they evolve.
Looking ahead, and given the increased interdependency of countries' networks and systems, it is suggested that information sharing has a key role to play in effective cooperation and coordination against cyber related threats. A common and shared understanding of the threat landscape is necessary not only to enable greater identification and recognition of possible threats and risks but also to ensure that efforts to address possible risks or specific incidents are effectively deployed as and where appropriate. The proposed creation of a European Information Sharing and Alert System (EISAS) within the recent European Commission Communication on "Protecting Europe from large scale cyber-attacks and disruptions" could be one step towards developing greater capabilities in Europe for sharing information and providing alerts. It is important, however, that the development of any common European, or even international, system recognises and takes into account the activities already underway as well as the tools and solutions developed and implemented by industry. Given the experience of industry in this area, it is important that ways are found to involve those in industry with the technical capabilities, skills and expertise in the development of any coordinated European or international approach.
To assist in the development of information sharing initiatives, and as a way to ensure greater effectiveness in information sharing between European and international partners, Symantec believes consideration should also be given to the development of a common language, or terminology, for security incidents, response and escalation that could be used across the UK, Europe and beyond. The ability of stakeholders to speak the same technical language in the event of a cyber-attack could help promote greater cooperation and cohesiveness in responses to incidents, not only across Europe but perhaps internationally.
However, when considering how to encourage or strengthen international co-operation and collaboration between countries, it is also important to consider not only the action needed before an incident may occur but also the cooperation and collaboration that may be needed during and after a cyber incident. The events in Estonia and Georgia are real life examples of how sophisticated and targeted large scale cyber attacks can be. These incidents also raised questions over the extent to which relevant parts of EU Member States' national administrations possess the technologies and e-skills needed to address cyber-attacks if they occur or to address issues related to the protection of the Internet. It is therefore suggested that one way to strengthen or enhance international cooperation may be to develop initiatives that enable the sharing of technical expertise and guidance on how to address cyber security related incidents. The establishment of the NATO Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia, which is supported by Symantec, is an example of a project that has developed to foster greater understanding and sharing of expertise on how to react to and address cyber related incidents.
However, while cooperation at a European or international level is important, this should not be a substitute for countries taking a national approach that is appropriate to their level of maturity, identified risk and therefore specific requirements. The publication of the UK's cyber security strategy was welcomed by Symantec as an important move forward in helping to co-ordinate, and maximise, efforts already well underway across government that currently seek to address cyber security related issues. Also supported was the importance placed throughout the strategy on the need to ensure international engagement and on the importance of the UK contributing to international discussions on how to address the current and future online threat environment, not only in the UK but on the global stage.
Symantec
October 2010
ABOUT SYMANTEC
Symantec is a world leader in providing solutions
to help individuals and enterprises assure the security, availability,
and integrity of their information. Headquartered in California,
Symantec has operations in more than 40 countries. Further information
can be found at www.symantec.com.
[13] Symantec Internet Security Threat Report, April 2010, http://www.symantec.com/business/theme.jsp?themeid=threatreport&inid=us_ghp_banner1_istr
[14] Symantec Internet Security Threat Report, April 2010, http://www.symantec.com/business/theme.jsp?themeid=threatreport&inid=us_ghp_banner1_istr